Archive

Hype, opportunists, and bad ideas are getting the spotlight after the massive breach of Sony Pictures. Most of us observers are sitting back and enjoying the schadenfreude of it all. For the general population that’s an understandable reaction; for those of us in the Information Security community it’s shameful.

Rather than take proactive, positive steps, we have sat on Twitter and watched as Sony and the Government have clumsily fumbled the situation. We often think we know what’s best, yet when our expertise would be most useful, most of us lurk in the background, sniggering to each other in our smug superiority.

In abdicating our role as ambassadors of technical literacy, we allow the story to be shaped by others. Often, those who run into the spotlight during these types of events are not experts or advocates for rational approaches, but opportunists promoting a specific agenda. The absence of a voice of reason from our community leaves a deafening silence. But don’t worry, we’ll fill that void with complaints once a solution has been enacted and we see that it won’t work.

Instead, the information security community should be engaging in the media and geopolitical discussions, injecting real solutions to solving systemic issues. We should be raising questions and bringing to light topics such as

Opportunism and fear mongering by politicians and our own industry.

Vandalism portrayed as terrorism.

The inadequacy of traditional investigative methods in cybercrime.

Statements, statistics, accusations, and claims made without supporting evidence, references, or credibility that go unchallenged.

Pre-determined attribution in hacking and geopolitics.

A geopolitical reaction to issues stemming from poor corporate oversight.

The hypocrisy of calling an attack on a film studio terrorism, while admitting to attacking military and government networks (hat tip to Jericho).

The information security industry taking $75B per year (according to Gartner) from the global economy without reduction in frequency or severity of information security incidents.

There isn’t one way to engage in the discussion, or to bring these issues (or others – and there are many others) out. However, there is a single way to fail at doing it, and that’s to fail to try. We, in the information security community, could have a great deal of influence if we chose to. When the world is powered by computers and software, those who know how to control those technologies have great power. But with great power comes great responsibility. Use it. Wisely.

UPDATE: @MarnixDekker points out that these are not really technology issues. But I counter that’s exactly the point. Why do we build technology of not to solve societal and human scale issues? If we are creating technology to its own end, others will use it as their means. We have seen where that leads, and it’s not a mistake we should be eager to make, nor naive enough to think won’t happen.

On March 20, 2013, several banking and media sites in South Korea came under attack. The attacks knocked critical systems offline at banks and media outlets. Initial suspicion pointed the finger at North Korean government, but it now appears that a hacking group may be behind the attacks. Reports are still coming in and some details may change as better understanding is gained. We will update the situation as it evolves.

Many of these computers – maybe all of them – will not come back online without lots of work. The malicious software is reported to make all the data inaccessible, either by deleting it directly or by destroying the Master Boot Record (MBR) – the table of contents, so to speak. South Korean officials and people within the affected companies are largely calling these events a “network paralysis” rather than a cyberattack or a Distributed Denial of Service (DDOS).

Initially most reports suggested that North Korea may be behind the attack. Yesterday Pyongyang derided the joint military actions of the US and South Korea and recent rhetoric from the North has been very aggressive. Last week North Korea suffered Internet outages, the cause of which are still not publicly known. But they claimed to be victims of a US and South Korean cyberattack. The South Korean government earlier claimed that the malicious code had been traced back to a location in China. However they have retracted the claim, saying that the data they had was misleading and the system was related to Nonghyup bank.

However, evidence is starting to emerge pointing to a hacking group called Whois Team. A website was posted by the group claiming to have stolen all the information and deleted it from the computers. At the moment no official reports from the US or Korean governments have identified the group they think is responsible for the attack. However Seoul has said no Korean government computers have been affected.

The information above is all from press reports. But there is doubtless much more to the events than has been reported. Most of this is likely because of the confusion that surrounds the early stages of these kinds of events. We are going to try to do some analysis, but because of language and knowledge barriers in media reporting we may come up with some conclusions that aren’t quite right. We apologize in advance and will try to be conservative with our analysis. Here are our hypotheses.

This was not an APT. Several reports have suggested that this attack was perpetrated by an Advanced Persistent Threat (APT). We suspect that this attack is one that was targeted at the victims specifically, but that the techniques were not all that advanced. Truly advanced attackers typically do not destroy the assets they have taken control of within a week of breaking in. Instead, they try to remain undetected for months or years and take information or affect normal operations for some more strategic advantage.

This was probably not North Korea. Several reports have suggested that this attack was carried out by North Korea. We suspect that this is not the case. The value to North Korea is not in shutting the systems down, but in gaining intelligence from them. And if the attack were their doing, then the “skull” website would either be unrelated or a false flag. That doesn’t seem likely. Instead, we believe that this attack was carried out by a group of amateur hackers. The allusions to Roman army structure, however, may be a sign that this activity is a military action but it seems implausible that North Koreans would use a Roman term, given their level of nationalism. But it is entirely plausible that North Korea enticed the Whois Team to carry out the attack.

There may be a Middle-Eastern and North African connection. The type of malicious software used, called “wipers”, has been seen in other attacks. Two of these attacks highlighted by Kaspersky have a Middle-Eastern connection. The skulls image that the Whois Team used has also been used in other attacks against Middle Eastern targets by French-speaking Muslim groups Xrapt0r and Mauritania Hacking Team (links withheld). It’s too early to say if there is a link, but circumstantially it appears that there is. If there is a connection, it may be that the attackers were hired by others in order to cover their tracks. It is also possible that the link is a false flag, designed to throw investigators off.

The LG U Plus link is significant. We don’t believe it is a coincidence that the same service provider counted all of the victims as customers. There are hundreds of ways that an attacker could use this relationship to infect customers with malware. It may not be related to Internet services, but others such as desktop maintenance or server administration. It’s too early to say. But that link could be a red herring. It’s not clear to us whether LG U Plus provides services for other major Korean banks and media outlets or not. It may, in fact, be that LG U Plus is simply the largest Internet and Computer Services company in Korea and that everybody uses them.

This event will end up costing hundreds of millions of dollars. The way in which these computers were affected means there will likely have to be a lot of work that goes into fixing them. That means lost productivity – the largest cost – as well as time from the IT department and other cleanup costs. And there will doubtless be outside investigations to pay for, government oversight questions to answer and purchases made to prevent this kind of thing from happening again. The companies will undoubtedly lose revenue because of these attacks. And any data that isn’t backed up will be lost or will have to be recreated.

There may be more waves of attack. The second (PRINCIPES) variant found strengthens the case that the attacks will proceed in waves. As of yet it is not known if the second variant was a part of the first wave or whether it will cause an impact later. To complete the Roman military structure a third variant should be expected, using the word TRIARII.